Commit 3fb0e229 authored by Adam Lewenberg's avatar Adam Lewenberg

more refactoring

parent 7c21e57d
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
# Creates the OpenSSL hash symlinks for certificates. Factored out for ensure
# handling and since it's used for both the main certificate and for the
# Comodo root certificate.
# Creates the OpenSSL hash symlinks for certificates. Factored out for
# ensure handling and since it's used for both main certificates and
# root certificates.
define su_apache::cert::hash(
$ensure = 'present',
$directory = '/etc/ssl/certs'
Enum['present', 'absent'] $ensure = 'present',
String $directory = '/etc/ssl/certs',
) {
if !($ensure in [ 'present', 'absent' ]) {
fail("ensure must be present or absent, not $ensure")
}
$hashcommand = "`openssl x509 -noout -hash -in ${directory}/${name}`"
# Create the link if ensure is present.
if ($ensure == 'present') {
exec { "openssl hash link ${directory}/${name}":
command => "ln -s ${directory}/${name} ${directory}/${hashcommand}.0",
path => ['/usr/bin', '/usr/sbin'],
unless => "[ -f \"${directory}/${hashcommand}.0\" ]",
require => $::osfamily ? {
'Debian' => [ File["${directory}/${name}"],
......
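Review bot: The `if !($ensure in [ 'present', 'absent' ]) { fail(...) }` guard is now dead code once `$ensure` is typed as `Enum['present', 'absent']`, because the catalog compiler rejects any other value before the body runs; dropping the three lines avoids a second, divergent error message. Separately, `$hashcommand` relies on backtick expansion inside `command` and `unless`, which the default `posix` exec provider does not perform — it executes the binary directly without a shell — so unless the attributes outside this hunk set `provider => shell`, the link would be created with a literal backtick path; confirm against the rest of the resource. The `su_apache::cert::hash` define continues past the end of this hunk.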
# Install an InCommon-provided certificate.
# The key is downloaded via wallet. The certificate will be symlinked to
# /etc/ssl/certs/server.pem and the key to /etc/ssl/private/server.key.
# The root/intermediate certificate chain is installed as the bundle
# Syntax:
#
# su_apache::cert::comodo { "<hostname>":
# ensure => present,
# keyname => "ssl-key/<hostname>",
# owner => "root",
# group => $operatingsystem ? {
# debian => "ssl-cert",
# ubuntu => "ssl-cert",
# redhat => "root",
# },
# mode => "0640",
# identity => "<hostname>",
# symlink => false,
# }
#
# <hostname> MUST be full-qualified.
#
# Only ensure need be specified; the other listed parameters are the defaults.
# <hostname> should be the unqualified hostname. The public certificate
# should be stored in modules/apache/files/certs/<hostname> (defaulting to
# <hostname>).
########################################################################################
# $name: This should be the FULLY qualified name. For example "example.stanford.edu". You can
# also provide something like "example.stanford.edu-saml" for a SAML key-pair. $name implies
# the wallet name and certificate filename:
#
# wallet name -> "ssl-key/$name"
# cert_files -> $name
#
# Example. If $name is "example.stanford.edu-saml" then the wallet name will be
# "ssl-key/example.stanford.edu-saml" and the certificate pulled from the cert_files
# module will be "example.stanford.edu-saml".
#
# $ensure: set to present to install the certificate, absent to uninstall. This parameter
# is required and defaults to 'present'.
#
# $keyname: the Wallet file object name. Defaults to "ssl-key/$name"
#
# $owner: file owner of the private key. Defaults to "root".
#
# $group: group owner of the private key. Default will depend on the OS.
#
# $identity: If the file name in the cert_files module does NOT match $name, you can specify
# the file name with $identity. Example:
#
# su_apache::cert::comodo { 'example.stanford.edu':
# identity => 'example2.stanford.edu',
# }
#
# This will install the certificate "example.stanford.edu" but pull use the certificate file
# "example2.stanford.edu" from the cert_files module.
#
# $symlink: if set to true will create a symlink from the cert and private key to the filenames
# "server.pem" and "server.key", respectively. Defaults to false.
########################################################################################
define su_apache::cert::incommon(
Enum['present', 'absent'] $ensure = 'present',
Optional[String] $keyname = undef,
String $owner = 'root',
Optional[String] $group = undef,
String $mode = '0640',
Optional[String] $identity = undef,
Boolean $symlink = false,
) {
# Include the InCommon root/intermediate chain bundle.
if ($ensure == 'present') {
include su_apache::cert::root::incommon
}
# Install the private key using Wallet.
case $keyname {
undef: { $key = "ssl-key/${name}" }
default: { $key = $keyname }
}
# Calculate the group name.
$group_name = $group ? {
undef => $::operatingsystem ? {
'debian' => 'ssl-cert',
'ubuntu' => 'ssl-cert',
'redhat' => 'root',
'CentOS' => 'root',
},
default => $group,
}
base::wallet { $key:
ensure => $ensure,
type => 'file',
path => "/etc/ssl/private/${name}.key",
owner => $owner,
group => $group_name,
mode => $mode,
require => $::osfamily ? {
'Debian' => Package['ca-certificates'],
'RedHat' => $::lsbmajdistrelease ? {
'6' => Package['ca-certificates'],
default => Package['openssl'],
},
},
}
# Install the public certificate.
file { "/etc/ssl/certs/${name}":
ensure => $ensure,
source => $identity ? {
undef => "puppet:///modules/cert_files/${name}",
default => "puppet:///modules/cert_files/${identity}",
},
require => $::osfamily ? {
'Debian' => Package['ca-certificates'],
'RedHat' => $::lsbmajdistrelease ? {
'6' => Package['ca-certificates'],
default => Package['openssl'],
},
},
}
# Create the OpenSSL hash links.
su_apache::cert::hash { "${name}.pem": ensure => $ensure }
# Install the server symlinks unless symlink is set to false.
if ($symlink) {
file { '/etc/ssl/certs/server.pem':
ensure => $ensure ? {
present => link,
absent => absent,
default => $ensure,
},
target => "${name}.pem",
require => $::osfamily ? {
'Debian' => Package['ca-certificates'],
'RedHat' => $::lsbmajdistrelease ? {
'6' => Package['ca-certificates'],
default => Package['openssl'],
},
},
}
file { '/etc/ssl/private/server.key':
ensure => $ensure ? {
present => link,
absent => absent,
default => $ensure,
},
target => "${name}.key",
require => $::osfamily ? {
'Debian' => Package['ca-certificates'],
'RedHat' => $::lsbmajdistrelease ? {
'6' => Package['ca-certificates'],
default => Package['openssl'],
},
},
}
}
}
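Review bot: The certificate is installed as `/etc/ssl/certs/${name}` (the `file` resource), but the hash links and the `server.pem` symlink both reference `${name}.pem`, which no resource here creates; unless callers are expected to pass a `$name` that already ends in `.pem` (the header documents a bare FQDN), the `file` title should be `"/etc/ssl/certs/${name}.pem"` so that `openssl x509 -in` in the hash define has a file to read. The `$group_name` selector on `$::operatingsystem` has no `default` arm, so any other distribution fails compilation with a selector error rather than a clear message — the same missing-default pattern is in every `$::osfamily` `require` selector, which could be computed once into a local variable. In the new header, the example at `su_apache::cert::comodo { 'example.stanford.edu':` still names the old define; it should read `su_apache::cert::incommon`, and "pull use the certificate file" should be "use the certificate file".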
# Install a root certificate. Creates the hash symlink.
#
# This define assumes that both the openssl and ca-certificates
# package Puppet resources have been defined elsewhere; if not,
# raise a Puppet error.
define su_apache::cert::root(
Enum['present', 'absent'] $ensure = 'present'
) {
file { "/etc/ssl/certs/${name}.pem":
ensure => $ensure,
source => "puppet:///modules/su_apache/etc/ssl/certs/${name}.pem",
require => $::osfamily ? {
'Debian' => Package['ca-certificates'],
'RedHat' => $::lsbmajdistrelease ? {
'6' => Package['ca-certificates'],
default => Package['openssl'],
},
},
}
su_apache::cert::hash { "${name}.pem": ensure => $ensure }
}
# Install the required InCommon root and intermediate certificates.
class su_apache::cert::root::incommon {
# Install all the known Comodo and InCommon intermediate certificates.
su_apache::cert::root {
[
'incommon-usertrust-2024',
]: ensure => present;
}
# [Added 30-Jan-2020] Install a copy of the newest Comodo certificate
# bundle with the 2024 InCommon intermediate and the new 2038 UserTrust
# root certificate. See also
# https://ikiwiki.stanford.edu/service/certreq/incommon2020/
file { '/etc/ssl/certs/incommon2024-usertrust2038-bundle.pem':
source => 'puppet:///modules/apache/etc/ssl/certs/incommon2024-usertrust2038-bundle.pem',
require => $::osfamily ? {
'Debian' => Package['ca-certificates'],
'RedHat' => $::lsbmajdistrelease ? {
'6' => Package['ca-certificates'],
default => Package['openssl'],
},
},
}
}
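Review bot: The bundle `file` resource sources from `puppet:///modules/apache/etc/ssl/certs/...` while `su_apache::cert::root` in this same commit sources from `puppet:///modules/su_apache/etc/ssl/certs/...`; if the refactoring moved the files into the `su_apache` module, this path is stale and the resource will fail at apply time — confirm which module actually holds the bundle. The comment "Install all the known Comodo and InCommon intermediate certificates" now describes a one-element list; consider `# Install the InCommon intermediate certificate(s) currently in use.` so the comment matches the code.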